From 00f92e8d8c57a1bad6d7d3e158b729f9707cdc60 Mon Sep 17 00:00:00 2001
From: otto <>
Date: Mon, 11 Nov 2019 06:32:52 +0000
Subject: [PATCH] Also implement "trusted" for sensors; do not do constraint validation for these. ok deraadt@
---
 src/usr.sbin/ntpd/ntp.c | 5 +++--
 src/usr.sbin/ntpd/ntpd.c | 6 +++---
 src/usr.sbin/ntpd/ntpd.h | 5 ++++-
 src/usr.sbin/ntpd/parse.y | 11 +++++++++--
 src/usr.sbin/ntpd/sensors.c | 5 +++--
 5 files changed, 22 insertions(+), 10 deletions(-)
diff --git a/src/usr.sbin/ntpd/ntp.c b/src/usr.sbin/ntpd/ntp.c
index f3f50413..02c5b6bd 100644
--- a/src/usr.sbin/ntpd/ntp.c
+++ b/src/usr.sbin/ntpd/ntp.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntp.c,v 1.161 2019/11/10 19:24:47 otto Exp $ */
+/* $OpenBSD: ntp.c,v 1.162 2019/11/11 06:32:52 otto Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -300,7 +300,8 @@ ntp_main(struct ntpd_conf *nconf, struct passwd *pw, int argc, char **argv)
 idx_clients = i;
 if (!TAILQ_EMPTY(&conf->ntp_conf_sensors) &&
- (constraint_cnt == 0 || conf->constraint_median != 0)) {
+ (conf->trusted_sensors || constraint_cnt == 0 ||
+ conf->constraint_median != 0)) {
 if (last_sensor_scan == 0 ||
 last_sensor_scan + SENSOR_SCAN_INTERVAL <= getmonotime()) {
 sensors_cnt = sensor_scan();
diff --git a/src/usr.sbin/ntpd/ntpd.c b/src/usr.sbin/ntpd/ntpd.c
index f60569ee..d54d35c8 100644
--- a/src/usr.sbin/ntpd/ntpd.c
+++ b/src/usr.sbin/ntpd/ntpd.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.c,v 1.127 2019/11/11 01:04:55 deraadt Exp $ */
+/* $OpenBSD: ntpd.c,v 1.128 2019/11/11 06:32:52 otto Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -114,8 +114,8 @@ auto_preconditions(const struct ntpd_conf *cnf)
 if (sysctl(mib, 2, &securelevel, &sz, NULL, 0) == -1)
 err(1, "sysctl");
 constraints = !TAILQ_EMPTY(&cnf->constraints);
- return !cnf->settime && (constraints || cnf->trusted_peers) &&
- securelevel == 0;
+ return !cnf->settime && (constraints || cnf->trusted_peers ||
+ conf->trusted_sensors) && securelevel == 0;
 }
 #define POLL_MAX 8
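Review bot: In the ntp.c hunk at `@@ -300,7 +300,8 @@`, `conf->trusted_sensors` is a configuration-wide flag, so marking a single sensor trusted opens this gate for the whole sensor scan rather than for that sensor alone. Untrusted sensors then appear to rely on the per-sensor `!s->trusted` test in sensor_query() for their constraint gating, and nothing at this condition says so. A short comment above it would record the dependency, e.g. `/* trusted sensors may be scanned before a constraint median exists; untrusted ones are still held back in sensor_query() */`. ntp_main's body starts and ends outside the hunk.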
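Review bot: In the ntpd.c hunk at `@@ -114,8 +114,8 @@`, the added operand reads `conf->trusted_sensors`, while the function's parameter is `cnf` and every other access in the visible lines goes through `cnf->`. Whether a file-scope `conf` is in scope in ntpd.c cannot be seen from here; if there is none this will not compile, and if there is one the decision to set the time automatically mixes two configuration objects. The line should presumably read `cnf->trusted_sensors) && securelevel == 0;`. The start of auto_preconditions is outside the hunk.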
diff --git a/src/usr.sbin/ntpd/ntpd.h b/src/usr.sbin/ntpd/ntpd.h
index 3f1ffbf7..04940e76 100644
--- a/src/usr.sbin/ntpd/ntpd.h
+++ b/src/usr.sbin/ntpd/ntpd.h
@@ -1,4 +1,4 @@
-/* $OpenBSD: ntpd.h,v 1.147 2019/11/10 19:24:47 otto Exp $ */
+/* $OpenBSD: ntpd.h,v 1.148 2019/11/11 06:32:52 otto Exp $ */
 /*
 * Copyright (c) 2003, 2004 Henning Brauer
@@ -189,6 +189,7 @@ struct ntp_sensor {
 u_int8_t stratum;
 u_int8_t weight;
 u_int8_t shift;
+ u_int8_t trusted;
 };
 struct constraint {
@@ -213,6 +214,7 @@ struct ntp_conf_sensor {
 int correction;
 u_int8_t stratum;
 u_int8_t weight;
+ u_int8_t trusted;
 };
 struct ntp_freq {
@@ -242,6 +244,7 @@ struct ntpd_conf {
 u_int8_t noaction;
 u_int8_t filters;
 u_int8_t trusted_peers;
+ u_int8_t trusted_sensors;
 time_t constraint_last;
 time_t constraint_median;
 u_int constraint_errors;
diff --git a/src/usr.sbin/ntpd/parse.y b/src/usr.sbin/ntpd/parse.y
index 51f1ddb0..8d7ab09d 100644
--- a/src/usr.sbin/ntpd/parse.y
+++ b/src/usr.sbin/ntpd/parse.y
@@ -1,4 +1,4 @@
-/* $OpenBSD: parse.y,v 1.75 2019/11/10 19:24:47 otto Exp $ */
+/* $OpenBSD: parse.y,v 1.76 2019/11/11 06:32:52 otto Exp $ */
 /*
 * Copyright (c) 2002, 2003, 2004 Henning Brauer
@@ -183,6 +183,8 @@ main : LISTEN ON address listen_opts {
 p = new_peer();
 p->weight = $3.weight;
 p->trusted = $3.trusted;
+ conf->trusted_peers = conf->trusted_peers ||
+ $3.trusted;
 p->query_addr4 = query_addr4;
 p->query_addr6 = query_addr6;
 p->addr = h;
@@ -223,6 +225,8 @@ main : LISTEN ON address listen_opts {
 p->weight = $3.weight;
 p->trusted = $3.trusted;
+ conf->trusted_peers = conf->trusted_peers ||
+ $3.trusted;
 p->query_addr4 = query_addr4;
 p->query_addr6 = query_addr6;
 p->addr_head.a = p->addr;
@@ -319,6 +323,9 @@ main : LISTEN ON address listen_opts {
 s->correction = $3.correction;
 s->refstr = $3.refstr;
 s->stratum = $3.stratum;
+ s->trusted = $3.trusted;
+ conf->trusted_sensors = conf->trusted_sensors ||
+ $3.trusted;
 free($2);
 TAILQ_INSERT_TAIL(&conf->ntp_conf_sensors, s, entry);
 }
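Review bot: The `trusted` field added to `struct ntp_sensor` in the ntpd.h hunk at `@@ -189,6 +189,7 @@` carries no comment, and neither do `trusted` in `struct ntp_conf_sensor` (`@@ -213,6 +214,7 @@`) or `trusted_sensors` in `struct ntpd_conf` (`@@ -242,6 +244,7 @@`). Because these flags switch off a safety check, the declarations should say what they mean, for example `u_int8_t trusted; /* exempt from constraint validation */` on the per-sensor fields and `u_int8_t trusted_sensors; /* set if any configured sensor is trusted */` on the aggregate. All three struct definitions begin and end outside their hunks.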
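Review bot: The aggregate update `conf->trusted_peers = conf->trusted_peers || $3.trusted;` is repeated verbatim in the two peer actions of parse.y (`@@ -183,6 +183,8 @@` and `@@ -223,6 +225,8 @@`), with a third copy of the pattern for sensors at `@@ -319,6 +323,9 @@`. Since the `trusted` production no longer sets the flag itself, any action that later creates a peer and forgets this line would leave `conf->trusted_peers` at 0 without any diagnostic. The statement reads more directly as `if ($3.trusted) conf->trusted_peers = 1;`, and a one-line comment such as `/* aggregate flag, consulted outside the parser */` would explain why it sits in every action. The enclosing rule actions start and end outside the hunks.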
@@ -428,6 +435,7 @@ sensor_opt : correction
 | refid
 | stratum
 | weight
+ | trusted
 ;
 correction : CORRECTION NUMBER {
@@ -481,7 +489,6 @@ rtable : RTABLE NUMBER {
 trusted : TRUSTED {
 opts.trusted = 1;
- conf->trusted_peers = 1;
 }
 %%
diff --git a/src/usr.sbin/ntpd/sensors.c b/src/usr.sbin/ntpd/sensors.c
index 4ca9a554..ff0eec09 100644
--- a/src/usr.sbin/ntpd/sensors.c
+++ b/src/usr.sbin/ntpd/sensors.c
@@ -1,4 +1,4 @@
-/* $OpenBSD: sensors.c,v 1.53 2019/11/10 07:32:58 otto Exp $ */
+/* $OpenBSD: sensors.c,v 1.54 2019/11/11 06:32:52 otto Exp $ */
 /*
 * Copyright (c) 2006 Henning Brauer
@@ -134,6 +134,7 @@ sensor_add(int sensordev, char *dxname)
 s->weight = cs->weight;
 s->correction = cs->correction;
 s->stratum = cs->stratum - 1;
+ s->trusted = cs->trusted;
 if ((s->device = strdup(dxname)) == NULL)
 fatal("sensor_add strdup");
 s->sensordevid = sensordev;
@@ -195,7 +196,7 @@ sensor_query(struct ntp_sensor *s)
 s->last = sensor.tv.tv_sec;
- if (!TAILQ_EMPTY(&conf->constraints)) {
+ if (!s->trusted && !TAILQ_EMPTY(&conf->constraints)) {
 if (conf->constraint_median == 0) {
 return;
 }
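Review bot: The `| trusted` alternative added to `sensor_opt` in the parse.y hunk at `@@ -428,6 +435,7 @@` makes `trusted` a user-visible keyword on sensor lines, yet the diffstat of this patch lists only ntp.c, ntpd.c, ntpd.h, parse.y and sensors.c, so the configuration manual is not updated here (it may follow in a separate commit). Since the keyword disables constraint validation for that sensor, the documentation should state this plainly, so that it is only set on a time source the operator can vouch for. In the grammar itself a comment next to the alternative would help, e.g. `/* trusted: sensor is exempt from constraint validation */`. The `sensor_opt` rule begins in the hunk header, outside the hunk body.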
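Review bot: In sensor_query (sensors.c hunk at `@@ -195,7 +196,7 @@`), the added `!s->trusted` makes a trusted sensor skip the whole constraint block with no comment and, in the visible lines, no log output. Neither the code nor the logs therefore show that a reading was accepted without the cross-check. I would add a comment above the test, `/* trusted sensors bypass constraint validation; their time is accepted without an external cross-check */`, and consider a debug-level log message at the point where the bypass is taken. The body of the `if` and the rest of sensor_query continue outside the hunk.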